Architecting Multi-Actor Cybersecurity
Summary
Cybersecurity entails a sharing of risk that requires a collective effort to mitigate. A collaborative effort among relevant stakeholders can contribute to understanding the latest threat landscape and commit to reducing vulnerabilities and minimising the impact of incidents. Cyber maturity assessments that focus on the area of control of an individual company rest on a relatively narrow evidence base without considering dependencies across extended supply chains. This research is looking at different approaches to building cybersecurity capability across interdependent organisations, considering operational perspectives and the wider engineering solution within which cybersecurity needs to be deployed and managed.
The aim is to utilise Enterprise Systems Engineering (ESE) methods to map resilience and preparation beyond organisational boundaries, and to guide contributions from multiple owners towards mutual cybersecurity. The need for an increasingly distributed situation awareness will be explored through application of ESE to cybersecurity capability development across critical infrastructures.
Systems engineering addresses complex technical systems that involve many stakeholders. ESE is an adaptation of the systems engineering concept to socio-technical environments by including a significant human and organisational aspect. Systems engineering specifies components of functionality using a whole system approach. ESE engineers the interactions between components of a system to enable an expanded set of capabilities. ESE prioritises the interconnectedness and dependencies because the design extends across organisations to achieve the required capability, while acknowledging the limits to cooperation where the interests of different actors are more disparate. Considering the implications of cybersecurity for organisational dynamics, the differences in human and technical aspects of a design are explored, such as interconnection of human capability through IT and OT cross-functional teams, alongside the technical necessity to segment traffic between systems.
Patterns of interaction with Operational Technologies have been changing in recent times with more remote working. In addition, their exposure to supply chain challenges includes a reliance on vendor support and how this is managed across various types of ownership and different responsible areas. This research is designing an Enterprise Systems Engineering (ESE) framework applicable to supply chain challenges considering cybersecurity as a core functional requirement. This framework intends to facilitate cybersecurity improvements across a network of organisations by integrating the contribution of multiple actors to reduce risks and proposing accountability structures. The use of resilience measures is also being investigated as a tool to improve operational resilience across diverse actors with clearer responsibilities for assurance and whole system resilience.
This research also considers the inter-organisational cooperation implied by regulatory efforts with Network and Information Security (NIS) and the opportunity and ability to meet cyber regulatory responsibilities, by looking at how regulatory oversight and operator behaviours are influencing the preparation and response to cybersecurity for critical infrastructure. In particular, it considers the broadening and deepening application of the NIS Directive and how this might aid the area of supply chain challenges. This aims to inform improvements and focus further support where it is needed the most.
The framework proposed during this research could also be usefully applied to other socio-technical enterprises undergoing change.